 

Is it possible to prevent man in the browser attack at the server with hardware device [closed]

Recently I found a hardware device that can prevent bot attacks by changing HTML DOM elements on the fly. The details are mentioned here.

The HTML input element id and name, and also the form element action, will be replaced with some random string before the page is sent to the client. After the client submits, the hardware device replaces its values with the originals. So the server code will remain unchanged, and bots cannot work on a fixed input name or id.

Sample Navigation

That was the whole idea, BUT they have also claimed that this product can solve the man-in-the-browser attack.

http://techxplore.com/news/2014-01-world-botwall.html :

Shape Security claims that the added code to a web site won't cause any noticeable delays to the user interface (or how it appears) and that it works against other types of attacks as well, such as account takeover, and man-in-the-browser. They note that their approach works because it deflects attacks in real time whereas code for botnets is changed only when it installs (to change its signature).

Theoretically, is it possible that someone can prevent the man-in-the-browser attack at the server?!

Alireza Fattahi asked Dec 06 '25 07:12


1 Answer

Theoretically, is it possible that someone can prevent the man-in-the-browser attack at the server?!

Nope. Clearly the compromised client can do anything a real user can.

Making your pages more resistant to automation is potentially an arms race of updates and countermeasures. Obfuscation like this can at best make it annoying enough to automate your site that it's not worth it to the attacker—that is, you try to make yourself no longer the ‘low-hanging fruit’.

They note that their approach works because it deflects attacks in real time whereas code for botnets is changed only when it installs (to change its signature).

This seems pretty meaningless. Bots naturally can update their own code. Indeed banking trojans commonly update themselves to work around changes to account login pages. Unless the service includes live updates pushed out to the filter boxes to work around these updates, you still don't win.

(Such an Automation Arms Race As A Service would be an interesting proposition. However, I would be worried about new obfuscation features breaking your applications. For example, imagine what would happen for the noddy form-field-renaming example on the linked site if your own client-side scripts were relying on those names. Or indeed, if your whole site was a client-side Single Page App, this would have no effect.)

bobince answered Dec 08 '25 00:12
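The form-field renaming described in the question (random name/id/action values on the way out, originals restored on submit), together with the breakage the answer warns about when client-side script still refers to the original names, as an added Python example. This is illustrative code written for this page, not the vendor's implementation: the sample page, the per-response token mapping, the dropping of unmapped field names and the treatment of the action token as the request path are all constructed assumptions.

```python
from __future__ import annotations

import re
import secrets

# Constructed sample page (not from the original post): a login form plus an
# inline script that refers to a field by its original id.
SAMPLE_HTML = """<form id="login" action="/login" method="post">
  <input type="text" id="username" name="username">
  <input type="password" id="password" name="password">
  <input type="hidden" name="csrf" value="abc123">
  <button type="submit">Sign in</button>
</form>
<script>
  document.getElementById("username").focus();
</script>"""

# Attributes the renaming touches; everything else (type, value, method) is left alone.
ATTR_RE = re.compile(r'\b(name|id|action)="([^"]*)"')
FORM_RE = re.compile(r"<form\b.*?</form>", re.S)
SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.S)


def random_token() -> str:
    """Fresh unpredictable token; the letter prefix keeps it a valid HTML id."""
    return "f" + secrets.token_hex(8)


def rewrite_html(html: str) -> tuple[str, dict[str, str]]:
    """Replace every name/id/action value inside <form>...</form> with a random token.

    Returns the rewritten HTML and the token -> original mapping that the
    server-side box keeps for this one response so the submission can be
    translated back. Each response gets fresh tokens.
    """
    token_for: dict[str, str] = {}   # original -> token (same value, same token)
    mapping: dict[str, str] = {}     # token -> original

    def replace_attr(m: re.Match) -> str:
        attr, value = m.group(1), m.group(2)
        if value not in token_for:
            token_for[value] = random_token()
            mapping[token_for[value]] = value
        return f'{attr}="{token_for[value]}"'

    rewritten = FORM_RE.sub(lambda form: ATTR_RE.sub(replace_attr, form.group(0)), html)
    return rewritten, mapping


def restore_submission(path: str, fields: dict[str, str],
                       mapping: dict[str, str]) -> tuple[str, dict[str, str]]:
    """Undo the renaming on the submitted request.

    Field names not in the mapping are dropped: a client that replays the fixed
    original names, or names learned from an earlier page, does not get through.
    The action token is assumed to arrive as the request path, so the leading
    slash is stripped before lookup (a simplification of real URL handling).
    """
    original_path = mapping.get(path.lstrip("/"), path)
    restored = {mapping[k]: v for k, v in fields.items() if k in mapping}
    return original_path, restored


def find_stale_references(rewritten_html: str, mapping: dict[str, str]) -> list[str]:
    """Report original ids/names that inline scripts still quote as string literals.

    The rewriter only edits attributes, so such scripts keep looking for
    elements that no longer exist: the breakage the answer warns about.
    """
    stale = set()
    for script in SCRIPT_RE.findall(rewritten_html):
        for original in mapping.values():
            if re.search(r'["\']' + re.escape(original) + r'["\']', script):
                stale.add(original)
    return sorted(stale)


if __name__ == "__main__":
    page, mapping = rewrite_html(SAMPLE_HTML)
    print(page)
    print("stale script references:", find_stale_references(page, mapping))
```

Running it prints the form with every name, id and action replaced, and then reports `username` as a stale reference: the script's `getElementById("username")` literal was not rewritten, so the page is broken exactly as the answer describes. Note also that nothing here inspects the submitted values themselves, which is why malware already running in the browser is unaffected by the renaming.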